Ctrl + K
/ news / CVE
CVEPublished 2024-01-11Modified 2026-04-080 articles on news7 live referencesNVD data

CVE-2023-6446Dwbooster · Calculated_fields_form

Vulnerability data via NVD (ingested)

CVSS v3.1
4.4
MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
EPSS percentile
42
Exploit Prediction Scoring System · top 58% of all CVEs
Weaknesses (CWE)
CWE-87Improper Neutralization of Alternate XSS SyntaxCWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Timeline
Published 2024-01-11
Modified 2026-04-08

External references

NVDMITREExploit-DBGitHub PoCSploitustrickest/cveVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2023-6446
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · WP plugin path
http.html:"/wp-content/plugins/calculated-fields-form/"
Matches any site loading the "calculated-fields-form" plugin — doesn't rely on Shodan's vuln tag.
Shodan · product
product:"Dwbooster Calculated Fields Form"
All exposed Dwbooster Calculated Fields Form instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Calculated Fields Form"
HTTP body or banner mentions "Calculated Fields Form" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2023-6446
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2023-6446
Censys host search filtered to this CVE id.
grep.app
CVE-2023-6446
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2023-6446
GitHub code search for direct mentions.
Google dork
"CVE-2023-6446" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (4)

CVE-2023-64464 repos
w181496/Web-CTF-CheatsheetRuby
Web CTF CheatSheet 🐈
★ 2,977·updated 8mo ago
sunlei/awesome-starsPython
My GitHub stars.
★ 8·updated 1mo ago
dick318/awesome-starsunknown
★ 8·updated today
Krishcalin/AI-Secure-Posture-ManagementPython
This is an AI Security Posture Management (AI-SPM) tool built on Python
★ 1·updated 2mo ago
We haven't classified any articles referencing CVE-2023-6446 yet. The external references above still apply.